Setting up Easy VPN in Cisco Configuration Professional, external access problems!
Hi
I have a Cisco 857 router which is flashed with Cisco Configuration Express 2.6.
Cisco Configuration Professional 2.6 is installed on my PC and I'm trying to configure Easy VPN for access away from the office.
The steps I have taken are as follows:
1) I launched the Easy VPN Server Wizard
2) IP address of Virtual Tunnel Interface is unnumbered to Vlan1 from the drop down menu - Authentication, Pre Shared Key
3) IKE Proposals set to the default option that's already there
4) Transform set is the default which is already there
5) Method list for group policy lookup is LOCAL
6) User authentication is LOCAL ONLY; the admin account shows up in ADD USER CREDENTIALS, which is the account I'm going to test the connection with
7) I have set up a GROUP POLICY which I've named, created a PRE SHARED KEY, created an IP address pool & subnet mask in the same range as the router's addresses and left all other options at default
8) I left cTCP unticked and disabled
9) I delivered the commands successfully
10) I click TEST VPN SERVER and get 3 ticks successful for Server configuration, dependent components & Firewall
11) I open the Cisco client and access the VPN internally using the router's LAN address; it prompts for my user name and password, I type it in and connect successfully
12) When I go home I configure my client with the same settings except I change the LAN address to the external WAN IP address, but I get an error message which says "Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
VPN Client settings are as follows
Group Authentication
Enable Transparent Tunneling- IPSec over UDP (NAT / PAT)
Currently I have a dynamic external IP address, I intend to get a static one once I know I can get this to work.
I would be extremely grateful if someone could help me solve this issue and work out why I can't connect externally.
I have no knowledge of CLI but will use it if given some instructions.
Thanks.
P.S. I have turned off all antivirus and firewall programs on the client computer when trying to connect.
Your NAT exemption ACL is backwards...
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
should be...
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Similar Messages
-
ISM-SRE-300-K9 & Cisco Configuration Professional Issue
hi there,
I have a Cisco 2901 router running CME 8.6; the router has an ISM-SRE-300-K9 card in it with Unity Express 8.0.5 installed.
I am having issues with Cisco Configuration Professional and configuring the module.
Under module configuration the status is "module is not reachable"; if I click on details I get further information: "unable to execute command from the module. module is either reloading or is in failed state. you must make the module up and refresh the module".
I have tried reloading, resetting and refreshing the module but the issue is still present.
I have accessed the module from the CLI, set it in offline mode and factory defaulted it, and the same issue is still present.
The only thing I can think is that this is a bug with CCP, as the loopback interface which the module is using can be pinged fine from the router, so the message makes no sense.
Any ideas?
Is your problem with CCP or the module itself?
Because, CCP bugs and limitations aside, the module can normally be installed, configured and managed using CLI or its web interface (after software is initially loaded). -
Can't launch Cisco Configuration Professional on Windows Vista x64
Help is needed to resolve the issue (see subject).
Tech environment:
Windows Vista x64
Adobe Reader X ver. 10.1.0 (Russian)
Cisco Configuration Professional 2.5
JRE 6 update 27
JRE 6 update 27 (64-bit)
Internet Explorer 9.0.8112.16421IS
While launching CCP, a message box pops up:
"Unable to read the resource file. The file could be corrupted. Please re-install Cisco Configuration Professional to resolve the issue."
Once (it never popped up again) the InstallShield Wizard message box popped up:
Adobe Reader is not present on the PC. It is required to view the PDF file.
Also the InstallShield Wizard message box:
Internet Explorer with Java plug-in version 1.6.0_11 Checked
Adobe Flash Player version 10 Checked
Memory 1 GB Checked
Screen Resolution 1024x768 Checked
Excerpt from the _cpinstaller_004.log file:
Product : Cisco Configuration Professional version 1.0
10-4-2011 16:48:31 LOG : Command line options =
10-4-2011 16:48:31 LOG : GetOS: OS Windows Vista
10-4-2011 16:48:31 LOG : GetOSServicePack: service pack 2
10-4-2011 16:48:31 LOG : GetIEVersion: IE version 9.0.8112.16421
10-4-2011 16:52:51 LOG : CheckCCPPorts: WARNING 80 is not a registered HTTP port
10-4-2011 16:53:27 ERROR : SetRunAsAdmin: ERROR REG_APP_COMBAT_LAYERS_ROOT could not be created.
10-4-2011 16:53:46 LOG : GetJavaIEPluginVersion: java IE plugin version 1.6.0_27
10-4-2011 16:53:47 LOG : GetFlashPlayerVersion: flash player version 10
10-4-2011 16:53:47 LOG : GetScreenResolution: screen resolution 8
10-4-2011 16:54:14 LOG : OpenPDFFile: Adobe reader could not be found on system.
10-4-2011 16:56:17 LOG : OnEnd: installation successfully completed.
Hi, ngoldwat!
Yes, of course, I've tried to launch CCP with Administrator rights - no success.
I have re-installed CCP under Local Admin and launched it. Great!!! It works! But, one "but": the app does not launch for a domain user even when I use Run as Administrator. I think the issue is in the permissions and/or the user's profile.
Thanks ngoldwat! You have helped me. -
Can Cisco Configuration Professional use the IPS feature?
Dear Expert,
Hello.
Could you tell me about Cisco Configuration Professional?
I'd like to try IOS IPS on the Cisco2901-SEC/K9.
I searched CCO about Cisco Configuration Professional.
The Cisco2901-SEC/K9 does not support SDM.
But the Cisco2901-SEC/K9 does support Cisco Configuration Professional.
Can Cisco Configuration Professional use the IPS feature like SDM?
Regards,
Takuro.
Hi,
yes, you can configure IOS IPS from Cisco Configuration Professional.
CCP has a wizard to guide you through the process; this is a link for that:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
I hope this helps you.
Mashal -
Cisco Configuration Professional on Windows 8.1
Trying to run CCP 2.7 on Windows 8.1. I've already changed the compatibility view settings, and the program launches just fine and the view is correct. I am not able to type anything in any of the fields. I think this may be due to a Java version or setting. I have downgraded my Java to JRE 1.6.0_11. Any help would be great. What am I missing? Thanks in advance.
I already had the setting in Java and added localhost in IE. Same result. The program will launch, but when trying to add devices to the community, I am unable to type anything in any of the fields.
What else would you suggest I use to manage my devices? Consider that I am not friendly with IOS commands and need a GUI interface. Thanks. -
Cisco Configuration professional corrupt
I downloaded the full zip from http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281795035&mdfLevel=null&treeName=Routers&modelName=Cisco%20Configuration%20Professional&treeMdfId=268437899
from the 1st link, but it seems to be corrupt. The 2nd link gets to the download page but then redirects away to say it's not available. What gives?
I sent a message to their web-help support address. If I hear back I'll post.
-
Cisco Configuration Professional Error
I just started using CCP, and it only opens to half or 1/3 of the IE window. Updated Adobe, no juice. Java? Need some help!!!!! Kind of frustrated since I have been trying to get it to work for the past week.
The solution for this was covered in the Network Management forum at this thread.
-
Cisco Configuration Professional - Takes lot of time on discovering
Dear All,
We have been using CCP for a long time without any issue, but suddenly it takes a lot longer than usual to discover a single device.
Can anyone help me on this?
Thanks. -
Cisco Configuration Professional - Monitor - Traffic Status - Application traffic view
Installed the latest version of CCP. Noticed that it uses Internet Explorer as the default browser.
Current issue - Monitor - Traffic Status - Application traffic view shows a window that is too large for my current screen.
I've tried several options to make it more viewable, but no luck.
Screenshot explaining the issue - notice the difficulty viewing the graphs.
Any advice will be appreciated.
Philip
I've managed to fix it by changing the zoom on Internet Explorer.
-
Easy VPN Server? Hmmm.. Not so Easy...
I used Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote, but I can't ping the default gateway of 192.168.1.1, which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway, which means when I connect I can't look at my router. And there's more: I cannot ping anything off-net (i.e. 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (I had to use the LAN switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of: does the virtual-template 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
description "VPN Default Profile for Group Cisco"
match identity group cisco
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group cisco
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
router-wan#
I was under the impression that using the virtual template and ip unnumbered allows the interface to respond on the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface, how would I then access it from the WAN given that it has a NATed LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
> Here's a follow-up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN-accessible VPN and a VPN residing on the local LAN. The reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for example, a coffee shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be achieved...
As an aside, my reasons for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MITM and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty. -
How can I set up a VPN on my mac?
I am trying to set up a VPN connection so that I can access my work from my Mac. The system there is Windows based. I have found articles about how to set up a VPN on a Mac, but there doesn't appear to be an area to put the static IP address or the computer IP address. Any help would be appreciated!
Have you read the printer manual? It will contain instructions for connecting it to a network, and then to your Mac. You don't identify this printer so it's difficult to be more specific.
You can also go to the printer manufacturer's website and seek assistance there. -
Cisco 876w: wlan client - routing problem
I configured a Cisco 876w to connect to an existing WLAN as a client. Now I would like to connect 3 PCs to the 876w, which should be able to access the Internet via the 876w.
Problem:
From the console (SSH) of the 876w, I can ping hosts on the Internet (even by name, like www.google.com), but when I'm using a client PC, I can't... What am I missing here? Could it be a NAT problem?
Config:
Internet <---> DSL Router 192.168.1.1 (and WLAN AccessPoint) <---> Cisco 876w (gets IP per DHCP, VLAN1 IP: 10.10.10.1) <---> PC (10.10.10.101)
Current configuration : 9897 bytes
version 12.4
no service pad
...
dot11 vlan-name wlan-lan vlan 1
dot11 ssid WLAN
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 0923467F1B2E52789807132F7A202E3D31
no ip source-route
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.101 10.10.10.254
ip dhcp pool ccp-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name cisco.test.com
dns-server 208.67.222.222
ip cef
no ip bootp server
ip domain name test.com
ip name-server 208.67.222.222
ip ddns update method sdm_ddns1
HTTP
add http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
no ipv6 cef
multilink bundle-name authenticated
isdn switch-type basic-net3
username admin privilege 15 secret 5 $1$uiouLKjbLIUBlKbj
username service privilege 15 secret 5 $1$LKjblkJNBLKkjlbkm
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-all sdm-cls--1
match access-group name AllowAny
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
zone security wan
zone security lan
zone-pair security sdm-zp-lan-wan source lan destination wan
service-policy type inspect sdm-policy-sdm-cls--1
interface BRI0
description <--
no ip address
ip flow ingress
ip virtual-reassembly
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
ppp multilink
!
interface ATM0
backup interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
interface ATM0.3 point-to-point
description <--
ip flow ingress
shutdown
pvc 1/32
pppoe-client dial-pool-number 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
description <--
no ip address
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid WLAN
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root
no cdp enable
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache
no cdp enable
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security lan
ip tcp adjust-mss 1412
interface Dialer0
ip ddns update hostname blahblah.dnsalias.com
ip ddns update sdm_ddns1
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security wan
encapsulation ppp
shutdown
dialer pool 1
dialer idle-timeout 600
dialer string 01919214124
dialer load-threshold 20 outbound
dialer watch-group 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname asfa
ppp chap password 7 128763520
ppp pap sent-username asfa password 7 0302141555
ppp multilink
interface Dialer2
ip ddns update sdm_ddns1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security wan
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname gast
ppp chap password 7 095B239876473F06090A
ppp pap sent-username gast password 7 1239847629873693D
router rip
network 10.0.0.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source list 106 interface Dot11Radio0.1 overload
ip access-list extended AllowAny
remark CCP_ACL Category=128
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended nix
remark tut nix
remark CCP_ACL Category=2
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=2
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 remark Alles
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit icmp 10.10.10.0 0.0.0.255 any
access-list 105 permit udp 10.10.10.0 0.0.0.255 any
access-list 105 permit tcp 10.10.10.0 0.0.0.255 any
access-list 106 remark NAT wlan
access-list 106 remark CCP_ACL Category=2
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit icmp 10.10.10.0 0.0.0.255 any
access-list 106 permit udp 10.10.10.0 0.0.0.255 any
access-list 106 permit tcp 10.10.10.0 0.0.0.255 any
dialer watch-list 1 ip 208.67.222.222 255.255.255.255
dialer-list 1 protocol ip permit
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
ndrmedienturm#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
BRI0                       unassigned      YES NVRAM  standby mode/disabled down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
Dot11Radio0                unassigned      YES TFTP   up                    up
Dot11Radio0.1              unassigned      YES DHCP   up                    up
ATM0                       unassigned      YES NVRAM  administratively down down
ATM0.3                     unassigned      YES unset  administratively down down
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Vlan1                      10.10.10.1      YES NVRAM  up                    up
NVI0                       unassigned      YES unset  administratively down down
Dialer0                    unassigned      YES NVRAM  administratively down down
Dialer2                    unassigned      YES NVRAM  up                    up
Virtual-Dot11Radio0        unassigned      YES TFTP   up                    up
Virtual-Dot11Radio0.1      192.168.1.54    YES DHCP   up                    up
Hi,
Just check a few things: from the client, are you able to ping the WAN interface of the Cisco 876w, and when you ping the Internet address from the client PC, what is the output of the NAT translation on the router?
The command to check this is show ip nat translations, to see whether the packet is getting translated or not.
Hope to Help !!
Ganesh.H -
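Several of the problems in this thread and in the 3825 Easy VPN thread above are visible in the posted configurations before any packet is sent, and the reply's advice to look at show ip nat translations is easier to act on once the candidates are listed. The Python 3 script below is an added example (not code from either poster or from Cisco) that parses a running-config and applies five heuristics drawn from what is on this page: a Virtual-Template that terminates IPsec without ip nat inside (the 3825 poster's own question; in that config NAT list 2 covers 192.168.1.0/24, which contains SDM_POOL_2, yet Virtual-Template1 is not a NAT inside interface, so client traffic headed for the Internet reaches Gi0/0 untranslated); a NAT interface that belongs to no security zone while other interfaces do (in the 876w config Vlan1 is in zone lan and the Dialers in zone wan, but Dot11Radio0.1, the NAT outside interface for the WLAN uplink, has no zone-member, and IOS zone-based firewall drops traffic between a zoned and an unzoned interface); a VPN address pool carved out of a connected LAN subnet; a DHCP pool whose default-router lies outside its own network (the 3825's pool 172.16.2.0 points at 172.168.2.1); and subnet masks written where IOS ACLs take wildcard masks (the first reply on this page writes 255.255.255.0 where 0.0.0.255 is the wildcard form). The embedded config is constructed from those posts; the parser needs the indentation of a real show running-config capture, which the pastes on this page have lost.

```python
"""Audit an IOS running-config for the NAT / VTI / pool / zone / ACL-mask problems discussed above."""
import ipaddress
import re

# Constructed sample (not a real device), modelled on the 3825 and 876w configs posted in this
# thread and on the access-list 101 lines from the first reply.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 zone-member security wan
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security lan
interface Dot11Radio0.1
 ip address dhcp
 ip nat outside
ip dhcp pool 172.16.2.0
 network 172.16.2.0 255.255.255.0
 default-router 172.168.2.1
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def parse_config(text):
    """Split a running-config into {top-level line: [indented sub-commands]}; leaf commands map to []."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.rstrip()
            blocks[current] = []
    return blocks


def is_subnet_mask(dotted):
    """True for a contiguous ones-then-zeros netmask such as 255.255.255.0 (wildcard would be 0.0.0.255)."""
    bits = int(ipaddress.IPv4Address(dotted))
    inverted = bits ^ 0xFFFFFFFF
    return bits != 0 and inverted != 0 and inverted & (inverted + 1) == 0


def audit(text):
    """Return a list of findings (strings); an empty list means none of the heuristics fired."""
    blocks = parse_config(text)
    interfaces = {k.split()[1]: v for k, v in blocks.items() if k.startswith("interface ")}
    zoned = {n for n, cmds in interfaces.items() if any(c.startswith("zone-member security") for c in cmds)}
    findings, subnets = [], {}
    for name, cmds in interfaces.items():
        nat_role = next((c for c in cmds if c.startswith("ip nat ")), None)
        # 1. VTI terminating the VPN but not a NAT inside interface: client traffic bound for the
        #    Internet leaves the NAT outside interface with its private source address untranslated.
        if any(c.startswith("tunnel protection ipsec") for c in cmds) and "ip nat inside" not in cmds:
            findings.append(f"{name}: terminates IPsec but has no 'ip nat inside'")
        # 2. Zone-based firewall: traffic between a zone member and an interface in no zone is dropped.
        if zoned and name not in zoned and nat_role:
            findings.append(f"{name}: has '{nat_role}' but is in no security zone while other interfaces are")
        for c in cmds:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", c)
            if m:
                subnets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    for line, cmds in blocks.items():
        # 3. VPN address pool carved out of a connected LAN subnet.
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            for name, net in subnets.items():
                if lo in net or hi in net:
                    findings.append(f"pool {m.group(1)}: overlaps {name} subnet {net}")
        # 4. DHCP pool whose default-router is not inside the pool's own network.
        if line.startswith("ip dhcp pool "):
            net = next((c.split()[1:3] for c in cmds if c.startswith("network ")), None)
            gw = next((c.split()[1] for c in cmds if c.startswith("default-router ")), None)
            if net and gw and ipaddress.ip_address(gw) not in ipaddress.ip_network("/".join(net), strict=False):
                findings.append(f"{line}: default-router {gw} is outside {'/'.join(net)}")
        # 5. Subnet masks where IOS expects wildcard masks (heuristic: every 'addr mask' pair on the line).
        if line.startswith("access-list "):
            for addr, mask in re.findall(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line):
                if is_subnet_mask(mask):
                    findings.append(f"'{line}': {mask} after {addr} is a subnet mask; IOS ACLs take wildcards")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

Each finding is a candidate to verify on the box, not a verdict: show ip nat translations after a test ping from the VPN client or the WLAN PC confirms or rules out the NAT ones, and show zone-pair security the zone one.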
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Hello.
There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of the remote users, who connect with Cisco VPN Client v5.0. Everything works. On the same LAN there is an MS Windows Server 2012 Essentials acting as the AD DC.
The need has arisen to move remote-user authorization to a RADIUS server. I want to use MS Network Policy Server (NPS) on 2012 Essentials (192.168.11.9) as the RADIUS server.
On the server the corresponding policy is set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy is configured. In AD a group VPN-USERS was created, to which, besides the remote users, a service user EasyVPN with the password "cisco" was added.
Below is an excerpt from the Cisco 2821 config:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
description -- to WAN --
crypto map stat-cmap
As a result, the Cisco produces the following error (highlighted in bold in the original):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
The MS NAS logs error 6273:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: domain\VladimirK
Account Name: VladimirK
Account Domain: domain
Fully Qualified Account Name: domain.local/Users/VladimirK
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: aaa.bbb.ccc.137
NAS:
NAS IPv4 Address: 192.168.11.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 0
RADIUS Client:
Client Friendly Name: Cisco2821
Client IP Address: 192.168.11.1
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: DC01.domain.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Experimenting with Cisco AV pairs and other Network Policy settings on the RADIUS server gives the same result.
Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) did not provide an answer.
If anyone has done something similar, please point me in the direction of a solution.
Going through your post, I can see that RADIUS is sending an Access-Reject because the RADIUS Access-Request carries the VPN group name in the User-Name field. I was in a discussion of the same problem a few days ago, and it was resolved by making 2 changes:
replace the authorization from radius to local
and
changing the encryption type in transform set
However, your configuration already has those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
~BR
Jatin Katyal
**Do rate helpful posts**
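The point in the reply above is visible in the debug output itself: the rejected Access-Request has Service-Type "Outbound" and a User-Name equal to the Easy VPN group name, which is the group-policy lookup that `aaa authorization network ... group radius` generates, not the user's own login. The NPS event confirms the other half: Authentication Type PAP and reason code 66 (method not enabled on the matching network policy). The script below is an added example, not part of the post or of any Cisco tool. It parses `debug radius` attribute lines (the sample is copied from the router output quoted above), reconstructs each request, and tells a group lookup from a user login so the right request gets blamed. The reason-code table contains only the code the NPS event on this page shows.

```python
import re

# Sample input: the `debug radius` lines quoted in the post above, covering the
# one Access-Request that NPS answered with Access-Reject.
SAMPLE_DEBUG = """\
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
"""

SEND_RE = re.compile(r"^RADIUS\(\w+\): Send (?P<code>Access-Request) to (?P<server>\S+) id (?P<id>\S+),")
ATTR_RE = re.compile(r'^RADIUS:\s+(?P<name>[A-Za-z][\w-]*)\s+\[(?P<num>\d+)\]\s+(?P<len>\d+)\s+(?P<value>.*)$')
RESP_RE = re.compile(r"^RADIUS: Received from id (?P<id>\S+) \S+, (?P<code>Access-\w+),")

# Only the reason code that appears in the NPS event on this page.
NPS_REASON = {
    66: "the user attempted to use an authentication method that is not enabled "
        "on the matching network policy",
}


def parse_debug(text):
    """Group `debug radius` lines into requests: {server, id, attrs, response}."""
    requests, current = [], None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"server": m["server"], "id": m["id"], "attrs": {}, "response": None}
            requests.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            # enumerated values print as `Outbound [5]`; keep the symbolic part,
            # and strip the quotes IOS puts around string attributes
            value = m["value"].strip().split(" [")[0].strip('"')
            current["attrs"][m["name"]] = value
            continue
        m = RESP_RE.match(line)
        if m:
            for req in requests:
                if req["id"] == m["id"] and req["response"] is None:
                    req["response"] = m["code"]
                    break
    return requests


def classify(req):
    """Service-Type Outbound is how IOS asks RADIUS for an Easy VPN group policy;
    the User-Name in that request is the group name, not a person."""
    if req["attrs"].get("Service-Type") == "Outbound":
        return "group-authorization"
    return "user-authentication"


def explain(req, nps_reason_code=None):
    """One-paragraph verdict for a request, optionally joined with the NPS reason."""
    kind = classify(req)
    lines = [f"User-Name {req['attrs'].get('User-Name')!r} -> {req['response']} ({kind})"]
    if kind == "group-authorization" and req["response"] == "Access-Reject":
        lines.append("the rejected request is the group lookup, not the user's login; "
                     "keeping group authorization LOCAL keeps this request off the RADIUS server")
    if nps_reason_code in NPS_REASON:
        lines.append(f"NPS reason {nps_reason_code}: {NPS_REASON[nps_reason_code]}")
    return "\n".join(lines)


if __name__ == "__main__":
    for req in parse_debug(SAMPLE_DEBUG):
        print(explain(req, 66))
```

Run it against a longer capture of `debug radius` and each Access-Request is reported separately, so a rejected group lookup is not mistaken for a bad user password.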
Setting up IPsec VPNs to use with Cisco Anyconnect
So I've been having trouble setting up VPNs on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this and still use Cisco AnyConnect. My knowledge of how to set up VPNs, especially in IOS version 8.4, is limited, so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accounting
Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?
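Before chasing licensing, one check a practitioner would run against the configuration posted above: the address pool `VPNPool` (192.168.0.225-192.168.0.250) is carved out of the inside interface's own subnet (192.168.0.0/24). A pool that overlaps the inside subnet depends on the ASA answering ARP on the inside interface for the pool addresses, and the same configuration carries `sysopt noproxyarp inside`, so that pair of lines is worth reconciling first when a client connects but reaches nothing. The script below is an added example, not from the post or from Cisco; it reads a subset of the posted lines (constructed here as an inline string) and reports every pool that falls inside an interface subnet, together with whether proxy ARP is disabled on that interface.

```python
import ipaddress
import re

# Subset of the ASA configuration posted above, constructed as inline sample input.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 50.1.1.225 255.255.255.0
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
sysopt noproxyarp inside
sysopt noproxyarp outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def parse_interfaces(cfg):
    """Map nameif -> IPv4Network from `interface` / `nameif` / `ip address` blocks."""
    ifaces, name, network = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name and network:
                ifaces[name] = network
            name, network = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if name and network:
        ifaces[name] = network
    return ifaces


def parse_pools(cfg):
    """Map pool name -> (first address, last address) from `ip local pool` lines."""
    pools = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
    return pools


def noproxyarp_interfaces(cfg):
    """Set of nameifs that have `sysopt noproxyarp <nameif>`."""
    return {line.split()[2] for line in cfg.splitlines()
            if line.strip().startswith("sysopt noproxyarp ")}


def check_pool_overlap(cfg):
    """Report pools whose range touches an interface subnet, and whether that
    interface has proxy ARP disabled (the ASA then will not answer ARP for the
    pool addresses on that segment)."""
    ifaces, pools, noarp = parse_interfaces(cfg), parse_pools(cfg), noproxyarp_interfaces(cfg)
    findings = []
    for pool, (lo, hi) in pools.items():
        for nameif, network in ifaces.items():
            if lo in network or hi in network:
                findings.append({"pool": pool, "interface": nameif,
                                 "network": str(network),
                                 "proxyarp_disabled": nameif in noarp})
    return findings


if __name__ == "__main__":
    for f in check_pool_overlap(ASA_CONFIG):
        print(f)
```

The two clean fixes are a pool on its own subnet (then the inside hosts route to it through the ASA and no proxy ARP is involved) or leaving proxy ARP enabled on the inside interface; the script only tells you which situation the running config is in.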
Hi All,
I need help configuring a site-to-site VPN from a Cisco 2811 to Websense Cloud for web traffic redirection.
The 2811 is running C2800NM-ADVIPSERVICESK9-M.
The 2811 router connects to the Internet switch, which then connects to the Internet router.
Note: for authentication I am using the Device ID and pre-shared key. I am worried that all user traffic goes out with PAT and is not bringing up my tunnel for port 80 traffic. Can you please suggest what the issue could be?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
keyring ISR_Keyring
self-identity user-fqdn [email protected]
match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload
How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post.
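The question in the reply above decides whether the tunnel can ever come up with the posted ACLs. On IOS, inside-to-outside traffic is translated by NAT before the crypto map ACL is evaluated, so a packet that `ip nat inside source list 103 interface FastEthernet0/1 overload` has already rewritten to 216.222.208.101 no longer matches `access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www`, and leaves in the clear. The simulation below is an added example, not from the post or from Cisco; it reproduces that order of operations over the posted ACLs 101 and 103 (a representative subset of the ACL 103 denies), with a constructed packet from 192.168.8.10 to a public web server. The "exempt" variant of ACL 103 adds a `deny tcp 192.168.8.0 0.0.3.255 any eq www` ahead of the permit, which is the usual way to keep the crypto-interesting traffic untranslated; it assumes Websense expects the private source addresses, which is how ACL 101 is already written.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # only checked when set


def net(addr, wildcard="0.0.0.0"):
    """IOS `addr wildcard` (inverted mask) -> IPv4Network."""
    full = int(ipaddress.IPv4Address("255.255.255.255"))
    mask = ipaddress.IPv4Address(full ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


ANY = ipaddress.IPv4Network("0.0.0.0/0")
LAN = net("192.168.8.0", "0.0.3.255")
OUTSIDE_IP = "216.222.208.101"   # FastEthernet0/1, the PAT address

# crypto ACL 101 from the post: LAN web traffic, private source addresses
CRYPTO_ACL_101 = [Ace("permit", "tcp", LAN, ANY, 80)]

# NAT ACL 103 as posted (representative subset of the host/subnet denies)
NAT_ACL_103 = [
    Ace("deny", "ip", LAN, net("85.115.41.187")),
    Ace("deny", "ip", LAN, net("86.111.216.0", "0.0.1.255")),
    Ace("permit", "ip", LAN, ANY),
]

# Assumed fix: exempt the crypto-interesting traffic from translation
NAT_ACL_103_EXEMPT = [Ace("deny", "tcp", LAN, ANY, 80)] + NAT_ACL_103


def acl_lookup(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def egress(pkt, nat_acl, crypto_acl):
    """Inside-to-outside on IOS: NAT runs before the crypto map match.
    Returns (source address on the wire, whether the crypto map claimed it)."""
    if acl_lookup(nat_acl, pkt) == "permit":
        pkt = Packet(pkt.proto, OUTSIDE_IP, pkt.dst, pkt.dport)   # PAT to Fa0/1
    encrypted = acl_lookup(crypto_acl, pkt) == "permit"
    return pkt.src, encrypted


if __name__ == "__main__":
    web = Packet("tcp", "192.168.8.10", "93.184.216.34", 80)   # constructed sample
    print("as posted :", egress(web, NAT_ACL_103, CRYPTO_ACL_101))
    print("with exempt:", egress(web, NAT_ACL_103_EXEMPT, CRYPTO_ACL_101))
```

On the router the equivalent evidence is `show crypto ipsec sa` staying at zero encaps while `show ip nat translations` fills with port-80 entries; the exemption turns the first counter on and empties the second for that traffic.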